Credit Card Encryption (code)

[Guest]

The server will need PHP with mcrypt but it's a start.

 

Payment info form:

 

$key = "pleasechangethesecretkey";

// Encryption...

 $td = mcrypt_module_open(MCRYPT_TripleDES, "", MCRYPT_MODE_ECB, "");

 srand((float)microtime() * 1000000);

 $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size ($td), MCRYPT_RAND);

 mcrypt_generic_init($td, $key, $iv);

 $cc_number = mcrypt_generic($td, $cc_number);

// store CCNum|iv

 $cc_number = $cc_number."|".$iv;

 

Now that will put the CC into the DB encrypted. But to get it out it would look like this:

 

	$key = "pleasechangethesecretkey";

$cc_result = mysql_query("SELECT cc_number FROM orders WHERE order_id=$_GET[order_id]");

list($cc_number, $iv) = mysql_fetch_row( $cc_result );



if ( $cc_number ) {

// Decryption ...

 list($cc_number, $iv) = explode("|", $cc_number);

 $td = mcrypt_module_open(MCRYPT_TripleDES, "", MCRYPT_MODE_ECB, "");

 mcrypt_generic_init($td, $key, $iv);

 $cc_number = mdecrypt_generic($td, $order_cc_number);

 // replace CCNum w/ XXX's etc...



}



echo "$cc_number";

 

Let me know if this is a bad idea, or needs work.

[Guest]

forgot to mentiuon that I made this for a homebuilt store that I use elsewhere. This DOES work.

[Harald Ponce de Leon]

Please remember that it is only secure as much as the key is secure.

[Harald Ponce de Leon]

Please remember that it is only secure as much as the key is secure.

 

..not in the sense of a hard to guess password, but how to access the password as it is plain text and resides on the server.

[Guest]

Yeah ...

 

I have been trying ot think of a way to have it dynamicly created. Like some sort of random # generator. Cause I don't care to know the key. If I can't decrypt the CC, I will just call and ask for it.

 

Ideas?

[Guest]

Maybe have the key be the session ID? Cause if they login and proceed to order they will have a session ID in the DB (at least for my store).

 

Would just have to figure out how to call it back up.